When I first needed to use certificates to secure my WCF service, I didn't really understand how certificates worked, how to create them, and where they go. A lot of the tutorials on the web just give you a raw makecert command that you black-box and trust works to create your certificate. But do you really know what it's doing? This is what I will explain today, although not in excruciating detail. Just enough to know what's going on.

Firstly, a few concepts. Certificates are a type of identification that try to ensure that you know who you are talking to, and that it is not somebody else just impersonating the person you are expecting to be talking to. In more technical terms, a certificate binds together a name (an identity) and a public key.

But if anyone could just create their own certificates, they could declare themselves to be anyone, right? For example, I could create a certificate whose name is "google.com", but I'm not really Google. This is where Certificate Authorities step in. These organisations are able to issue certificates to people, thereby ensuring that the identity declared on the certificate is actually the identity of the person holding the certificate. For example, if I went to Thawte (or some other authority) and said I wanted a certificate for "google.com", they would tell me to get stuffed (perhaps more politely, though).

So how does this authority-issuing-thing work? A certificate authority themselves have a certificate with which they digitally sign all the certificates they issue. My computer (and pretty much everyone's) has a store of the certificates of these different certificate authorities. The computer then knows that if its sees any certificate that has been signed by one of these trusted certificate authorities' certificate, then the computer should trust that certificate. This concept is called "Chain Trust". The "chain" part refers to the "chain" of certificates-signing-certificates.

So during development, we may want to create certificates for our own purposes and then implicitly trust them. We don't really want to go to a certificate authority and get a signed certificate, because that costs money and we're cheap. Instead, what we can do is create our own certificate authority and then issue certificates to ourselves to use. We place this fake certificate authority's certificate in our computer's trusted certificate authorities store thereby causing our computer to implicitly trust all the certificates that we issue from that authority.

Note that this opens up a security hole on your PC, because if anyone was able to get a hold of your certificate authority certificate (and its private key, with which you sign certificates), they could create certificates that your computer would silently trust. Of course, this isn't too big a deal if you just slap a nice big password on your private key, and when you're finished developing, remove the fake certificate authority certificate from your trusted certificate store.

To see what certificates you currently have on your PC, open MMC (Run->mmc.exe), click "File->Add/Remove Snap-in", select Certificates from the left list, click "Add". Select "My user account", which will mean the snapin will show certificates that are stored specifically for your Windows user account. Select Certificates from the list again and "Add" it, then this time select "Computer account". This snapin will show certificates belonging to the machine specifically, and will apply across all accounts. Press Finish, then OK. I suggest you Save this MMC arrangement, so you can get back to it more easily in the future (File->Save).

So now we need to create our own Certificate Authority certificate. Open the Visual Studio Command Prompt as Administrator. CD to some place you want to store your certificate files. Here's the command for makecert to create your certificate authority, along with an explanation of each of the options you pass to makecert:

makecert -n "CN=My Awesome Certificate Authority"
-cy authority
-a sha1
-sv "My Awesome Certificate Authority Private Key.pvk"
-r
"My Awesome Certificate Authority.cer"
-n : The certificate name. CN stands for Common Name and is the name that
identifies the certificate. For websites, this is their domain name.
-cy authority : Creates a certificate authority certificate
-a sha1 : Use the SHA1 algorithm
-sv : The private key to use, or create.
-r : Create a self-signed certificate (so that you are the root of the certificate chain)
*.cer : The filename to export to

Because you haven't created a private key before, the -sv option will create you one. Therefore, Makecert will ask you for a password that will lock the private key. Provide a nice strong one. When it then goes to use the private key, it asks you to re-provide that same password.

You can now install your new certificate authority certificate into the trusted store. To do this, simply go to your MMC console, right click on "Trusted Root Certification Authorities", go "All Tasks", then "Import". Select your new certificate, and when it asks you where to put the certificate, ensure that it goes into "Trusted Root Certification Authorities". Your computer now implicitly trusts all certificates signed by that new certificate authority.

Now we need to create a client certificate that is signed by our new certificate authority. You can do this one of two ways. The first way is to create a certificate and store it and its private key in the Windows Certificate Store (what you see in MMC). This is how you do that:

makecert -n "CN=myawesomesite.com"
-ic "My Awesome Certificate Authority.cer"
-iv "My Awesome Certificate Authority Private Key.pvk"
-a sha1
-sky exchange
-pe
-sr currentuser
-ss my
"myawesomesite.cer"
-n : The certificate name. CN stands for Common Name and is the name that
identifies the certificate. For websites, this is their domain name.
-ic : The certificate to use as the root authority
-iv : The private key of the root authority certificate
-a sha1 : Use the SHA1 algorithm
-sky exchange : Create a certificate that can do key exchange
-pe : Makes the certificate's private key exportable
-sr : The certificate store location to hold the certificate (currentuser or localmachine)
-ss : The certificate store name. my is the Personal store
*.cer : The filename to export to

It will ask you for the certificate authority's private key's password, so that it can use the private key to sign your certificate. It then will store your certificate (and its private key) in the current user's Personal store. You should be able to see it in MMC. It will also create a copy of the certificate on the hard drive.

The other way you can create the certificate is to create it and its private key as files on the hard drive. You can then combine them into a single PFX (Personal Information Exchange) file, which can be imported into your certificate store if you wish. To do this, run this makecert command:

makecert -n "CN=myawesomesite.com"
-ic "My Awesome Certificate Authority.cer"
-iv "My Awesome Certificate Authority Private Key.pvk"
-a sha1
-sky exchange
-pe
-sv "myawesomesite.com Private Key.pvk"
"myawesomesite.com.cer"
-n : The certificate name. CN stands for Common Name and is the name that
identifies the certificate. For websites, this is their domain name.
-ic : The certificate to use as the root authority
-iv : The private key of the root authority certificate
-a sha1 : Use the SHA1 algorithm
-sky exchange : Create a certificate that can do key exchange
-pe : Makes the certificate's private key exportable
-sv : The private key to use, or create.
*.cer : The filename to export to

This will ask you for a password with which to lock the new private key you are creating for this certificate. It will also ask you for the password to the certificate authority's private key. It creates your certificate on the hard drive and also the private key in a PVK file.

To combine the private key and the certificate into a PFX file, run this command (this uses pvk2pfx):

This will create your PFX file, which you can import into your Personal store using MMC in a similar fashion as you did with the certificate authority certificate.

And that's it. You now have a trusted certificate authority and a certificate that is signed by that authority in your computer's store. You can now use them for development (for example, for WCF service security).

I am creating a wcf service that needs a certificate for encryption...It will be hosted in IIS. After creating the cert, i had read it needs to be given ASPNET permissions to function properly in this environment... is that the case?

Now on the client machines, we need to connect to this server machine and we need the RootTrustedCA to authorise our server. Hence I export the RootTrustedCA certificate along with the private key using the standard procedure from mmc as a .pfx file and import it to the client machine's mmc under local machine->trusted Root certificate. So far so goodNow I create a client certificate named Pablo on the client machine using the rootTrustedCA using this commandline makecert -ss MY -sky exchange -sr currentuser -n "CN=Pablo" -in RootTrustedCA -is ROOT -e 01/01/2028

Pablo certifciate is generated and placed under Currentuser->Personal->certificates and also shows issuer to be RootTrustedCA

But then when we try to connect using IE from client to server as http://servername remember servername here is (%ComputerName%), we dont connect. It throws http 403 error i.e. forbidden.

I am not able to understand this . I have a limitations....I dont have a pvk file for RootTrustedCA so cant use it and yet have to get all this working.

In some websites I read that pfx files should not be imported to local machine -> trusted root certificate store .....Is that correct ? However i tried importing it to current user->personal(as mentioned in those sites) but that also didnt solve my connection problem.

Can any of you please guide me on this issue. I believe generation of rootTrustedCA certificate on server machine and then exporting and furthur importing on client machine is perfectly fine. I feel Some issue is there in my pablo certificate generation on client machine . My connection code logs that certificate was found successfully. Please pour in some thoughts on this issue.